Spam / Phishing - Graymail to the Microsoft Outlook Junk Folder

This article contains information on creating Microsoft 365 transport rules to direct emails flagged by Mimecast as graymail to the Outlook Junk Folder, by setting specific headers and Spam Confidence Levels (SCL).

Establishing a transport rule is essential for effectively managing emails identified as graymail by Mimecast. Without this rule in place, you may find these communications cluttering your Inbox, leading to decreased productivity and potential oversight of important messages.

Considerations

  • The Spam Confidence Level (SCL) determines how Microsoft 365 treats the email. Setting the SCL to 6 tells the system to classify the email as spam, automatically placing it in the Junk Folder. 

    For more information on SCL, see Microsoft's article.

  • The X-Mimecast-Bulk-Signature: yes header added by Mimecast identifies bulk or graymail, which triggers this rule.

To learn more about how to have this header added to all graymail, please refer to the Graymail Detection Action section in the article Spam / Phishing - Spam Scanning. Choosing Tag Headers as Graymail in your Spam Scanning Definition for Graymail ensures that the header X-Mimecast-Bulk-Signature is added to all graymail detections.

Transport Rule Configuration

You can create a transport rule in Microsoft 365 that directs emails with Mimecast's graymail header to the Outlook Junk Folder, by using the following steps:

  1. Access Exchange Admin Center:
  2. Define the rule:
    • Click on + Add a Rule, then click on Create a new rule.
    • Name the rule, e.g: "Move Graymail to Junk".
    • Conditions:
      • Select the dropdown underneath Apply the rule if, and choose The message headers...
      • Select the dropdown on the right, and choose matches these text patterns.
      • Select Enter text and specify the header name: "X-Mimecast-Bulk-Signature".
      • Select Enter words and specify the words or phrases: "Yes".
      • Click Add and Save.
  3. Set the Action:
    • Select the dropdown underneath Do the following and choose Modify the message properties.
    • Select the dropdown on the right and choose set the spam confidence level (SCL).
    • Set the SCL to 6 to ensure the email will be treated as spam and placed in the Junk Folder.

      Please note that a value of 6 is based on the default Microsoft configuration. If you have changed the default configuration, then you should use the value you have configured.

    • Set the required rule settings:
      • If you want to activate the rule from a specific date, you can check Activate this rule on, and it will select today's date and time.
      • Whether or not a date and time was selected, click on Next.
  4. Save the rule:
    • Review the rule, ensuring it applies to inbound messages, and click on Finish.
  5. Turn on the rule:
    • If the rule was not enabled on the Rules page, you can enable it as follows:
      • Click on the Rule to open the side view.
      • Turn on the toggle next to Disabled to enable the rule.

        You can move the rule up in priority if it's not taking effect.
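
The same rule can also be created from Exchange Online PowerShell, which makes the configuration repeatable and easy to review. This is an added example, not Mimecast's or Microsoft's own script; it assumes the ExchangeOnlineManagement module is installed and the signed-in account can manage mail flow rules, and the Comments text is a constructed value.

```powershell
# Added example: script the "Move Graymail to Junk" rule described above.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'Move Graymail to Junk'   # rule name used in the steps above

# Condition and action as configured in the Exchange Admin Center steps.
$settings = @{
    HeaderMatchesMessageHeader = 'X-Mimecast-Bulk-Signature'
    HeaderMatchesPatterns      = 'Yes'
    # 6 matches the default Microsoft configuration; use your own value
    # if you have changed the default.
    SetSCL                     = 6
    # Constructed description so the rule's purpose is visible to other admins.
    Comments                   = 'Mimecast graymail header sets SCL 6 (Junk Folder)'
}

$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    # Rule already exists: reset its condition and action, then make sure it is on.
    Set-TransportRule -Identity $ruleName @settings
    Enable-TransportRule -Identity $ruleName -Confirm:$false
}
else {
    New-TransportRule -Name $ruleName -Enabled $true @settings
}

# Review what was saved: state, position in the rule order, condition and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority,
                HeaderMatchesMessageHeader, HeaderMatchesPatterns, SetSCL

# If the rule is not taking effect, move it up in priority, for example:
# Set-TransportRule -Identity $ruleName -Priority 0
```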

Marking a Message as Not Junk

Microsoft Outlook end users can mark an item in their Junk folder as Not Junk, which moves the message to the Inbox. See Microsoft's article on adding recipients to the Safe Senders List in Outlook; future messages from safe senders are then received in the Inbox.



Comments

19 comments
  • Will this new function replace the Mimecast Personal Portal to review “On Hold” emails? 

     

    Regards

    Michel.

    0
  • Hi - If the user has a graymail message in their Junk folder and attempts to mark the message not as junk from within Outlook, though, since Mimecast is flagging it as graymail, wouldn't future messages from that sender still go to the Junk folder?

    Unless I'm mistaken, Outlook doesn't send anything back to Mimecast whitelisting the sender, so I'm concerned that this may cause confusion and frustration from users if they keep reporting the same sender as “not junk” and getting the same result. I do understand that the user can go into their Mimecast account to whitelist a sender, but from my experience, they won't do that. 

     

    2
  • Hi Michel

    Thank you for your comment.

    Nope, not at all. This is to tag Graymail emails to junk only.

    I hope this response was helpful.

    1
  • The document may need updating as number 2 doesn't explain what words to match the header against. 

    I know the image shows the correct settings but may not be easy to spot for some.

    See update below in italics.

     

    Define the rule:

    • Click on + Add a Rule, then click on Create a new rule.
    • Name the rule, e.g: "Move Graymail to Junk".
    • Conditions:
      • Select the dropdown underneath Apply the rule if, and choose The message headers...
      • Select the dropdown on the right, and choose matches these text patterns.
      • Select Enter text and add the header name: X-Mimecast-Bulk-Signature.
      • Select Enter words and add the Yes.

     

     

     

    0
  • Got a small test group going for this now, I can report back my findings if anyone is interested.

    3
  • Hi,

    Maybe I'm being a bit silly, but what happens to those emails today if this is not configured? What needs to change on the Mimecast end to allow this to happen? This article could provide a wider understanding; simply configuring a transport rule doesn't show the true impact of the change. Not great!

    Thanks
    Dave

    0
  • Yes please Jacob. Interested to hear the technical aspect and the users' feedback.

    1
  • Hi Jacob

    Thank you for your comment! To ensure we provide you with the best possible engagement, please post in our Community. The collaboration will not only be beneficial for Cybersecurity peers but also for the Mimecast team.

    If your issue requires immediate attention or if you would like to initiate a new support case, please proceed accordingly here.

    Thank you

    0
  • @Jacob Taylor - Admin
    Thanks for sharing. I set up a similar rule for spam where messages with spam tag go to Junk or, if the score is high enough, straight to Microsoft’s quarantine.

    It’s been working well, but one thing I ran into is that you might need to add an exception rule before it for allow-listed senders. In our case, even if someone is allowed in Mimecast, the message still gets tagged and can end up in Junk or quarantine, which caused some confusion for users.

    Not sure if that applies to bulk or graymail too, but just something to keep in mind. Now for that group we have to manage allow lists in both Mimecast and Exchange, which isn’t ideal. Hopefully graymail headers aren’t added if the sender is already on the allow list.

    Curious to hear how your testing goes.

    0
  • Hi Shawn P. Beighle

    Thank you for your comment.

    If a user marks a graymail message as "not junk" in Outlook, future messages from that sender may still be flagged as graymail by Mimecast and moved to the Junk folder. This is because Mimecast's graymail detection operates independently of Outlook's junk mail settings. To prevent future messages from being flagged, you may need to adjust Mimecast's graymail policies or create a transport rule in Microsoft 365 to handle graymail headers differently.

    I hope this answers your question.

    -1
  • Reiterating the point made by Shawn P. Beighle, is there any roadmap to get the “not junk” function operational?

    Mimecast have got the Outlook Report Phishing working. Is there something similar that Mimecast can leverage to get the “not junk” function working for users?

    0
  • I feel the dependency to use Junk folder is really bad advice and a bad end-user experience. Is Mimecast looking to get rid of their on-hold (quarantine)? We've turned off Outlook Junk folders at the organisational level for many years in favour of Mimecast hold (quarantine) to simplify and unify the workflow and end user experience. Many users still struggle to keep on top of their Mimecast held messages and managed senders. Reintroducing Junk folder just adds to the complexity and convolutes this further not only for end users but for admins alike. Mimecast should really incorporate all security improvements across all layers into its existing design, i.e. all greymails by design should go into Mimecast hold.

    0
  • Hi Nadeem Rabbani, 

    Thank you for your feedback. This has been sent to the appropriate team. 

    0
  • Hi Tom Clay

    Thank you for your comment.

    We escalated your comment to the relevant product team, and they informed us that they are exploring options with engineering. At this time, we cannot specify when we will receive feedback from engineering. If we receive feedback sooner, we will revert with the updates.

    I hope this helps. Thank you.

    0
  • Thanks Admin-TM.

    I have been talking to technical support too, and although they had alternative ideas for a solution to managing a white list, it looks like the misleading information in this document is causing more confusion than is required.

    SCL 9 will highlight to windows defender that the item is to be quarantined, not moved to junk folders.
    SCL 5-6 will move the item to junk folders UNLESS the recipient has marked the sender in their Safe Sender List.

    When you mark an item as not junk this adds the sender to the Safe Senders List only for that recipient. It's also very easy for users to maintain the list in Outlook.

    I think we are now in a position we want to be. Mimecast is identifying all graymail, and users can self-prescribe what is and isn't “Junk” with the safe senders list.

    Summary -  “Not Junk” feature will work - if the right SCL is applied.
    Here is the MS article for SCL levels: https://learn.microsoft.com/en-us/defender-office-365/anti-spam-spam-confidence-level-scl-about 
    And the MS article for Safe Senders List: https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365 

    1
  • Hi Tom Clay,
    Thank you for your feedback.
    We've updated our article recently, to set the SCL level to 6.
    In addition, we've updated the Considerations section to link to Microsoft's article about SCL, and added a short paragraph at the end about how end users can mark messages as Not Junk.

    0
  • Hi Dan,

    Thank you for your comment. The article has since been updated.

    0
  • So when we did this it broke the “postmaster” emails from reaching our users – did anyone else have that?

    0
  • Hi Dalton,

    Many thanks for your feedback.
    If you're still facing issues with your “postmaster” emails not reaching your users and need assistance, please raise a Support case here.

    0
